Re: [dnsext] afasterinternet.com trial and draft-vandergaast-edns-client-subnet-00

Wilmer van der Gaast <wilmer@google.com> Mon, 05 September 2011 17:26 UTC

In-Reply-To: <4e5f3343.cd06e70a.2596.ffffb1e7SMTPIN_ADDED@mx.google.com>
References: <20110830162134.GB84494@shinkuro.com> <4e5f3343.cd06e70a.2596.ffffb1e7SMTPIN_ADDED@mx.google.com>
Date: Mon, 05 Sep 2011 18:28:24 +0100
Message-ID: <CAMbvoaKZbFHJr--CcuH5Ue1ndMS2WxVdOxWP6EnXfcPQ4x4evw@mail.gmail.com>
From: Wilmer van der Gaast <wilmer@google.com>
To: Marc Lampo <marc.lampo@eurid.eu>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] afasterinternet.com trial and draft-vandergaast-edns-client-subnet-00

On 1 September 2011 08:24, Marc Lampo <marc.lampo@eurid.eu> wrote:
> [...]
>
> For an authoritative name server, implementing DNSSEC and this RFC,
> it probably implies that it must be able to calculate RRSIGs "on the
> fly";
> which implies that it must have access to the private part of DNSKEYs;
> which implies that signing on a hidden master
> and distributing signed data to public slaves is not enough.

As someone else already pointed out, this is not strictly necessary.
Also, this is not specific to edns-client-subnet as there are
nameservers right now that use the query source IP to determine the
optimal response.

From how I parse the DNSSEC specs, the OPT record is not signed
(wouldn't be possible without secret keys on the server anyway), so
edns-client-subnet doesn't change the situation.

It may still be reasonable to mention something along these lines in the I-D.

I assume the attack scenario you're talking about is sending queries
with many different source IP addresses/client-subnet options and
sending spoofed responses with no client-subnet option at all?


Regards,

-- 
Wilmer van der Gaast, Traffic SRE/Google Public DNS team.
Google Ireland.